Understood. Our situation is that we have an SSO product in front of our App servers injecting header information into what I thought was the response headers. I can't check because I can't list the response headers, only the request headers...

A common approach to this is to wrap the response with your own class that overrides the setHeader method. This is common enough that the servlet spec provides an HttpServletRequestWrapper and an HttpServletResponseWrapper class to help eliminate a lot of dumb typing.
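
The wrapper approach described in the answer above, as an added example that is not part of the original thread: a servlet filter that wraps the response in an HttpServletResponseWrapper subclass and records each header as it is set. It assumes the javax.servlet API; the names HeaderAuditFilter and RecordingResponse are hypothetical.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter: map it in web.xml ahead of the servlets you want to audit.
public class HeaderAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(HeaderAuditFilter.class.getName());

    // Wrapper that remembers every header written through it.
    static class RecordingResponse extends HttpServletResponseWrapper {
        // Header names are case-insensitive, so the map must be too.
        final Map<String, List<String>> seen = new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);

        RecordingResponse(HttpServletResponse response) { super(response); }

        private void record(String name, String value, boolean replace) {
            List<String> values = seen.get(name);
            if (values == null || replace) {   // setX replaces, addX appends
                values = new ArrayList<String>();
                seen.put(name, values);
            }
            // Keep session identifiers out of the log.
            values.add("Set-Cookie".equalsIgnoreCase(name) ? "<redacted>" : value);
        }

        // Date headers and implicit ones (setContentType, sendRedirect) are not captured here.
        @Override public void setHeader(String n, String v) { record(n, v, true); super.setHeader(n, v); }
        @Override public void addHeader(String n, String v) { record(n, v, false); super.addHeader(n, v); }
        @Override public void setIntHeader(String n, int v) { record(n, String.valueOf(v), true); super.setIntHeader(n, v); }
        @Override public void addIntHeader(String n, int v) { record(n, String.valueOf(v), false); super.addIntHeader(n, v); }
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Assumes an HTTP request; the cast fails for any other protocol.
        RecordingResponse wrapped = new RecordingResponse((HttpServletResponse) res);
        try { chain.doFilter(req, wrapped); }
        finally { LOG.info("Response headers set by the application: " + wrapped.seen); }
    }
}
```

Because the filter runs inside the container, it only sees headers written by code further down the filter chain. Headers added by a proxy sitting in front of the app servers never pass through it.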